Cluster Audit

Last updated: 2022-06-10 16:48:45

    Until December 31, 2021, audit log and event data generated by EKS are free of charge. Select Auto-create Logset, or select Auto-create Log Topic in an existing logset. For more information, see Free Tier.

    Overview

    Cluster auditing is a feature based on Kubernetes Auditing that stores and lets you search the JSON-formatted records generated by kube-apiserver according to a configurable policy. It records, in sequence, the access events of kube-apiserver and the activities of every user, admin, or system add-on that affect the cluster.

    Strengths

    Cluster auditing provides a cluster monitoring dimension in addition to metrics. After it is enabled, Kubernetes records an audit log for every operation on the cluster. An audit log is a structured JSON record made up of metadata, requestObject, and responseObject. The metadata (the request context, such as who initiated the request, where it was initiated from, and the URI accessed) is always present, while requestObject and responseObject are optional, depending on the audit level. You can learn the following from the logs:

    • Activities that occur in the cluster.
    • Occurrence time and objects of an activity.
    • Activity triggering time, triggering positions, and observation points.
    • Activity results and subsequent processing.

    Example of how to read an audit log

    {
      "kind":"Event",
      "apiVersion":"audit.k8s.io/v1",
      "level":"RequestResponse",
      "auditID":"0a4376d5-307a-4e16-a049-24e017******",
      "stage":"ResponseComplete",
      // What happened
      "requestURI":"/apis/apps/v1/namespaces/default/deployments",
      "verb":"create",
      // Who initiated the request
      "user":{
        "username":"admin",
        "uid":"admin",
        "groups":[
          "system:masters",
          "system:authenticated"
        ]
      },
      // Where it was initiated from
      "sourceIPs":[
        "10.0.6.68"
      ],
      "userAgent":"kubectl/v1.16.3 (linux/amd64) kubernetes/ald64d8",
      // Which object was acted on
      "objectRef":{
        "resource":"deployments",
        "namespace":"default",
        "name":"nginx-deployment",
        "apiGroup":"apps",
        "apiVersion":"v1"
      },
      // What the result was
      "responseStatus":{
        "metadata":{
        },
        "code":201
      },
      // Request and response details (present only at the Request/RequestResponse levels)
      "requestObject":Object{...},
      "responseObject":Object{...},
      // When it started and ended
      "requestReceivedTimestamp":"2020-04-10T10:47:34.315746Z",
      "stageTimestamp":"2020-04-10T10:47:34.328942Z",
      // Why the request was allowed or denied
      "annotations":{
        "authorization.k8s.io/decision":"allow",
        "authorization.k8s.io/reason":""
      }
    }


    EKS Cluster Auditing Policy

    Audit level

    Unlike general logs, Kubernetes audit logs have a level that works more like a verbosity setting: it indicates how much detail is recorded for a request. There are four levels:

    • None: Nothing is logged.
    • Metadata: The metadata of the request (for example, user, time, resource, and operation) is logged, excluding the message bodies of the request and response.
    • Request: The metadata and the request message body are logged, excluding the response message body.
    • RequestResponse: All information is logged, including the metadata and the message bodies of both the request and the response.

    Audit stage

    Logging can occur at different stages as listed below:

    • RequestReceived: The log is created when the request is received.
    • ResponseStarted: The log is created after the response headers have been sent. This stage applies only to long-running requests, such as WATCH.
    • ResponseComplete: The log is created after the response has been completely sent.
    • Panic: The request was not completed because of an internal server error.

    EKS audit policy

    By default, EKS creates audit logs when requests are received. For most operations, audit logs are created at the RequestResponse level, except in the following cases:

    • GET, LIST, and WATCH requests are logged at the Request level.
    • Requests for Secrets, ConfigMaps, or TokenReviews are logged at the Metadata level.

    The following requests will not be logged:

    • Requests sent by system:kube-proxy to monitor Endpoints, Services, or Services/Status.
    • GET requests sent by system:unsecured for ConfigMaps in the kube-system namespace.
    • GET requests sent by kubelet for nodes or nodes/status.
    • GET and UPDATE requests sent by system:kube-controller-manager, system:kube-scheduler, or system:serviceaccount:endpoint-controller for Endpoints in the kube-system namespace.
    • GET requests sent by system:apiserver for namespaces, namespaces/status, or namespaces/finalize resources.
    • Requests sent to URLs that match /healthz*, /version, or /swagger*.
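    The default behaviour described above, written out as a Kubernetes audit.k8s.io/v1 Policy object. This is an added illustration of the rules the page lists, not EKS's actual policy file; it assumes kubelet requests are matched through the system:nodes group, and it uses the user and resource names exactly as the page gives them.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top to bottom; the first rule that matches decides the level.
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services", "services/status"]
  - level: None
    users: ["system:unsecured"]
    verbs: ["get"]
    namespaces: ["kube-system"]
    resources:
      - group: ""
        resources: ["configmaps"]
  - level: None
    userGroups: ["system:nodes"]   # assumption: kubelets are matched via this group
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes", "nodes/status"]
  - level: None
    users: ["system:kube-controller-manager", "system:kube-scheduler",
            "system:serviceaccount:endpoint-controller"]   # as named on this page
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: ""
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  - level: None
    nonResourceURLs: ["/healthz*", "/version", "/swagger*"]
  # Secrets, ConfigMaps and TokenReviews: metadata only, so their bodies never reach the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Reads keep the request but drop the (often large) response body.
  - level: Request
    verbs: ["get", "list", "watch"]
  - level: RequestResponse   # everything else: full request and response bodies
```

    Because the first matching rule wins, the Metadata rule for Secrets must come before the Request rule for reads; swapping them would record Secret bodies on GET requests.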

    Directions

    Enabling cluster auditing

    Note:

    Enabling cluster auditing requires a restart of kube-apiserver. We recommend that you do not enable and disable it frequently.

    1. Log in to the TKE console.
    2. On the left sidebar, click Cluster Ops > Feature Management.
    3. At the top of the Feature Management page, select the region and the Elastic Cluster type as shown below:
    4. In the cluster list at the bottom, click Set in the Operation column on the right of the target cluster.
    5. In the Configure features pop-up window, click Edit on the right of Cluster Auditing as shown below:
    6. Select Enable Cluster Auditing and select the logset and log topic for storing audit logs. We recommend you select Auto-create Logset as shown below:
    7. Click OK.